f 

. The Risks Digest Volume 18: Is-ue 16 



Page 1 of 1 1 



m 



m 




31 




THE -RISKS D?6CS? 



Forum on Risks to the Public in Computers and Related Systems 

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator 



• Xerox machine caused nuclear power plant emergency halt 

Magnus Ihse 

• NY Air Route Traffic Control Center computer failure 

Peter Ladkin 

• US Charges Man Planned to Kill 4,000 Travelers 

PGN 

• Assumptions about assumptions at 12 

Ken Knowlton 
9 Re: TILT! Counterfeit pachinko cards ... 
Chiaki Ishikawa 

• Timing out e-mail - "kidsciencenet" spam 

Laurence Brothers 

• Access to psychiatric records 

Bob Frankston 

• Smartcards and medical data standards 

Peter Bray 

• Re: Largest Computer Error in US Banking History? 

Louis Koziarz 
9 Risks of Statistics in RISKS- 18. 13 
Frank Fay 

• Info on RISKS (comp.risks) 



y Xerox machine caused nuclear power plant emergency halt 

Magnus Ihse <d95-mih@nada.kth.se> 

Thu, 30 May 1996 13:16:56 +0200 (METDST) 



Volume 18: Issue 16 



Saturday 1 June 1 996 



Contents 



http://catless.ncl.ac.uk/Risks/18.16.html 



3/14/03 



The Risks Digest Volume 18: 




el6 




Page 2 of 11 



One of the Swedish nuclear reactors, Ringhals 4, was automatically shut down 
during a routine safety check. The last part of the instructions fed into 
the computer was missing, and when the computer safety system noticed that 
the instructions were incomplete, it shut down the reactor. 

So far so good, but why were the instructions incomplete? The Xerox machine 
used to copy the instruction sheet did not include the complete page, and no 
one (except the computer) ever noticed that the instructions were incorrect. 
(Source: TT) 

The risk is obviously that no system is completely fool-proof. I doubt 
anyone ever thought about the correctness of the Xerox machines as part of 
the nuclear power plant safety system. No matter how detailed you planned 
the security system, there will always be some part that could fail. In this 
case, nothing serious happened because the computer detected the error. 
However, this --or similar incidents -- could happen again, and next time 
maybe the error would not be detected. 

Magnus Ihse, Computer Science student, Royal Institute of Technology, Sweden 



The NY ARTCC computer (7 years old) lost significant service capability 
("failed* said the NYT Service's Matthew Wald on 21 May 1996) twice on the 
evening of Monday 20 May; the first time for 23 minutes, and the second time 
for about an hour, one hour later. The NYTS reported (International Herald 
Tribune, Thurs 2 3 May 1996 p2) that it was "running normally' Tuesday as 
technicians tried to figure out the problem. The FAA is wondering about the 
new software installed four days earlier. 

"The office, the New York Air Route Traffic Control Center, handles 
high-altitude and long-distance traffic over New York, Connecticut, New 
Jersey, Pennsylvania and part of the Atlantic Ocean. * (Wald, NYTS, 21 May 
1996) 

There followed the usual: a fail-safe return to older, more inefficient air 
traffic control procedures, leading to a lower traffic saturation limit and 
thus mean delays in departures of about an hour at major airports in the 
area; an increase in the work load of controllers; a deficit of 
safety-related information, including "automatic conflict alert'. 

I note that a deficit of safety-related info does not necessarily lead to 
a reduction in safety: one increases safety margins and pays careful 
attention (which might even increase safety for the short periods involved) . 
These older procedures worked tried and true for decades. Risks might 
increase were an ARTCC system to suffer a service reduction at a time at 
which there were more aircraft in the system than the saturation limit 
for the reduced level of service. Aircraft in the air already under control 
do not just go away, however one can delay entry into Center control by 
delaying aircraft ready for departure and diverting flying traffic due 
to enter Center control (but note the huge area NY ARTCC covers) . I am 
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not aware that such a circumstance has ever occurred, but given the 
projected growth in commercial air traffic, it is something to worry about 
for the future . 

Computers and ATC were discussed in RISKS-17 . 17 (James), 17.18 (Wolper) , 
17.21 (Burstein, Schultz) , 17.24 (PGN) , 17.25 (Runes, Karagianis, Ladkin, 
Pettit) , 17.26 (PGN, Margolin, Zellweger), 17.27 (Gelato) , 17.28 (PGN), 
17.35 (Lucero) , 17.36 (Tignanelli, 2 articles), 17.38 (Ladkin), 17.40 (PGN, 
Ladkin), 17.41 (Tignanelli, Emerson), 17.44 (Goldstein, see also Harding, 
Menon) , 17.49 (PGN), 17.50 (PGN), 17.62 (Kabay) , 17.70 (Wolper). It seems as 
if 1995 was a good vintage ... [Especially if you don't wine too much. PGN] 

ATC Communications were discussed in 17.44 (Harding, Menon), 17.64 (Lucero), 
17.65 (Ladkin) . 

Peter Ladkin 



y US Charges Man Planned to Kill 4,000 Travelers (Reuter) 

"Peter G. Neumann" <neumann@csl.sri.com> 
Fri, 31 May 96 15:46:42 PDT 

Reuter reported on 29 May 1996 that U.S. prosecutors accuse Islamic militant 
Ramzi Ahmed Yousef (a.k.a. Abdul-Basit Balochi) and two others of plotting 
to bomb 12 U.S. jet planes in two days during 1995. Some of the evidence is 
based on a file found in Yousef 's laptop computer, stating that the purpose 
of the bombings was "vengeance and retribution' 1 against the United States 
for its financial, political and military support of Israel. (Yousef will 
be tried later this year for masterminding the 1993 World Trade Center 
bombing that killed six and injured more than 1,000 people. He is also 
accused of placing a bomb on a Philippine Airlines flight from Manila to 
Tokyo on 11 Dec 1994, which killed one passenger and injured 10 others.) 



y 

KenKnowlton <KCKnowlton@aolcom> 
Fri, 31 May 1996 12:00:000001 pm EDT 

Responses to my 12 am/pm = noon/midnight? were mostly of these three forms: 

1. 12 am is midnight, dummy; don't bother me with this. 

2. Either can mean either,* don't use these notations. 

3. Tuesday goes from "12am Tues" to "midnight Tues" (and 12am = midnight)! 
My conclusions: 

1. Be careful in making assumptions about other people's assumptions. 

2. I bet that somewhere in this world there's a routine that occasionally 
time-stamps with the ASCII string "... 12:00 am" and a backup, restore 
or merge routine that later misunderstands the date (misidentifying 
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the most recent version of a file, or whatever) . 



I think I can demonstrate how easy it is to make risky assumptions about 
other people's assumptions, particularly regarding the phenomenon "don't 
need this case --it just couldn't get here." We all know what scalene and 
isosceles and equilateral triangles are, likewise we have crisp ideas about 
squares, rhombuses, rectangles, parallelograms and trapezoids, yes? I 
invite you to demonstrate to yourselves your knowledge of 

inclusion/intersection/exclusion relations among these objects by filling in 
each of the following blanks with a 'No' or 'Some' or 'All'. Use your own 
self-assured knowledge here -- don't use a dictionary or other authority. 
Please *don't* send me your answers unless you can fill in all the blanks 
exactly as you think every responsible geometrician would. Assume that all 
figures are planar and non-degenerate: 



No/Some/All 

equilateral triangles are isosceles triangles. 

equilateral triangles are scalene triangles. 

isosceles triangles are equilateral triangles. 

isosceles triangles are scalene triangles. 

scalene triangles are equilateral triangles. 

scalene triangles are isosceles triangles. 

squares are rhombuses. 

squares are rectangles. 

squares are parallelograms. 

squares are trapezoids. 

rhombuses are squares. 

rhombuses are rectangles. 

rhombuses are parallelograms. 

rhombuses are trapezoids. 

rectangles are squares. 

rectangles are rhombuses. 

rectangles are parallelograms. 

rectangles are trapezoids. 

parallelograms are squares. 

parallelograms are rhombuses. 

parallelograms are rectangles. 

parallelograms are trapezoids. 

trapezoids are squares. 

trapezoids are rhombuses. 

trapezoids are rectangles. 

trapezoids are parallelograms. 



Ken Knowlton 



[... and Ken is NOT a square. While at Bell Labs in the 1960s, his 
programming language BEFLIX pioneered computerized animation; he also 
did L6, among other things. PGN] 



y re: TILT! Counterfeit pachinko cards ... (Wayner, RISKS-18.15 ) 
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I would like to add some background as someone who has played in pachinko 
parlors in Japan. (The origin of the game of pachinko is rather vague. 
Some say it is based on the ball game popular after the WW-II in U.S.A.. 
Anyway, it is a gambling business.) 

The card in question acts as a kind of debit card inside the pachinko 
parlors. It was introduced a few years ago by an former police official, 
with the expressed intention of keeping the money flow easy to track. (I 
would say it was a ruse to make a few companies where the ex-police 
officials can find jobs after retirement from the office. But I digress.) 

The cards are sold to the pachinko parlors and the customers buy the cards 
from the parlors, and obtain steel balls to play the game by inserting the 
card into the slot next to the game machine. 

Pachinko gambling works as follows. When you win the game, the number of 
steel balls in your possession increases and the customer can exchange the 
balls with gifts. (Therein lies a complication. Japanese law prohibits 
gambling, and so exchanging the steel balls with real money is illegal. 
♦However*, first exchanging the balls with gifts, and then exchanging the 
gifts with money at a third party outlet [which is quite likely to be 
operated by the parlor owner] has been allowed by the police.) Speaking of 
loophole! Some people do bring back the gifts to homes: depending on the 
places, parlors carry game -boy cartridges, latest bestseller books, snack 
food such as cookies, instant noodles, umbrella, purse, movie video tape, 
music CD, to name a few as gifts. But if the customer wants to exchange 
his/her win indirectly to money at the outlet, then he/she has to ask for 
special gifts used essentially as money tokens by these establishments. 
These are often a tiny gold/silver foil embedded in thin plastic slab, etc.. 
Each parlor/outlet pair uses different stuff. In my hometown, a special 
brand of silk stocking was used as money token. This whole thing is a farce 
in view of the anti-gambling law in Japan.) 

Back to the card: the cards in question are used by two leading card 
manufacturers. (There are another couple of late-entry companies whose cards 
are not known to be attacked yet.) The card is based on the design done by 
NTT Data. NTT is the Japanese equivalent of old Ma Bell in the USA. NTT 
Data is a company that specializes in computer software integration, 
communication and such. I believe it designs the telephone card (debit card 
used for pay-phone in Japan) , too. 

The pachinko card is the size of name card and plastic. The details are not 
published. To the best of my knowledge, I think there is a magnetic strip 
that contains the card ID information such as its serial number and the 
amount of debit money. 

There were 10,000 yen, 5,000 yen, 3,000 yen, 2,000 yen, and 1,000 yen cards. 
(I said "were" because 10,000 yen and 5,000 yen cards are no longer 
available . ) 

Attack method: 

>From what I saw and read, the first card verification mechanism used by the 
pachinko game machine was so primitive to defy rational explanation: each 
time the card was used, a tiny hole was punched to indicate the amount left 
in the card. As the customer uses the card, the position of the punched hole 
on card shifts toward the zero position. Once there is a hole on the zero 
position, the card is no longer usable. 

The first simple attack as far as I can tell was to fill in the hole in the 
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card with tiny plastic (essentially the chaff produced when the hole is 
punched was used to fill in the hole) . I am not sure if such simple attack 
was possible, but it seemed possible really at the beginning with crude 
modification of the magnetic data. 

Then, of course, the magnetic information on the card was also modified in 
more sophisticated ways when the card was used. 

However, the bad people also learned and somebody stole the reader mechanism 
and figure out the part of the magnetically-coded information: the result 
was that bad people could buy the pristine 10,000 yen card and then uses up 
to 2500 yen of the debit amount legally and then "re-fill" the card to 9500 
yen worth, thus gaining 2000 yen for free again and again. (Until 3000 yen 
was used from the 10,000 yen card, the physical hole was not produced on the 
card, and only the magnetic information was changed. Hence the mere 
counterfeiting of the magnetic information was necessary to "revive" the 
card. No physical re-filling of the card was necessary. Physically 
re -filling the hole is easy to spot visually and was avoided by the bad 
guys . ) 

[I have to confess that the exact amount involved in the counterfeiting 
is a little uncertain. But the general idea still holds.] 



Similar attack was possible with 5,000 yen card. 



Presumably the gain by attacking 3,000 yen, 2,000 yen and 1,000 yen card was 
small compared with the risk, the bad guys didn't attack these cards until 
lately. 

Now the situation is that of cats and mouse. New counterfeiting 
methods and counter-measures follow each other in rapid succession. 

I believe that the cloning of the card was also done. But I don't know the 
details . 



Now, the card companies and pachinko parlors stopped issuing 10,000 yen and 
5,000 yen cards because the damage was so large. 

Also, they have installed special readers to verify the validity of the card 
by incorporating more vigourous checking not available on the readers next 
to the game machine: it used to be that the cards sold could by used by any 
pachinko parlors in Japan. Now cards sold elsewhere have to be verified with 
this machine before used at a local game parlor. Cards sold at the local 
parlor can be used without such checking. 

Already, there are reports of counterfeit-card usage: 

- either the cards are so sophisticated that they can pass the enhanced 
reader . 

- Or the bad guys buy the cards locally and then use some of the 
debit amount and then bring the cards to their factory to re -fill 
and re -use it at the local store again and again. 

The card companies have installed countermeasures in selected stores to the 
cloning of the card by checking the serial number of the card and stopped 
the operation of the whole game machines in the store if a card with the 
serial number of the previously used (finished?) card is ever inserted into 
the game machine . 

Another simple method of fooling the reader was also reported about a month 
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ago. Essentially, it cuts out a long strip of the 3,000 yen card (now the 
most expensive card after 10,000 yen and 5,000 yen card are gone) and 
rotates the strip to invert its direction and then reassembles the card 
again using cement or something. To my surprise, it was reported to be 
deemed valid by some readers (!?) . Apparently some readers only check for 
the position of the hole on fixed position and fooled to believe the card is 
valid if the hole is not in the expected position, etc.. Once not so 
rigorous readers are distributed, it is very difficult to upgrade all of 
them in Japan, I guess. 

The problem is complicated in that the counterfeiting only damages the card 
company. The parlors report the amount of debit money used in their shops 
and then compensated for the amount (less the small surcharge by the card 
company.) This means that every time the counterfeit card is used the card 
company alone loses money and the local parlor doesn't lose. 

There have already been reports of the owners of the pachinko parlors 
involved in the usage of the counterfeit cards. These bad owners allowed 
the bad guys to use the counterfeit cards in their parlors and pass the used 
debit amount to the card company and getting compensated. 

In these cases, the bad guys bring back the money (by simply exchanging the 
phony debit money into the steel balls, and then without playing (they can 
play if they wish), exchange the steel balls to the special gifts, and then 
exchange the gifts with money. [Usually, buying the steel balls and then 
exchanging them with gifts, and subsequently with money leaves you less 
money than you started with. The house always wins. In this case, the bad 
guys started out with counterfeit debit money and ends up with real money, 
so it is OK for the bad guys.] The parlor also gets the money for the used 
debit money. So they win, too. Only the card companies lose. 

Counterfeiting probably has existed since the first money (or ecjuivalent) 
was ever invented. But, it surprised me that NTT Data approached the whole 
scheme so naively, especially since there have been reports of telephone 
card counterfeiting in Japan before. Some of the counterfeiting methods 
reported seemed so simple, and I have a doubt whether NTT Data was serious 
enough to deter counterfeiting. 

At least, I can safely say they have underestimated the ingenuity of the 
counterfeiters badly and didn't learn from the counterfeiting of telephone 
cards very well. 

Ishikawa, Chiaki (family name, given name) 

Personal Media Corp., Shinagawa, Tokyo, Japan 142 ishikawa@personal-media.co.jp 



y Timing out e-mail — "kidsciencenet" spam 



Laurence Brothers <quasar@bellcore.com> 
Wed, 29 May 1996 11:18:38 -0400 



I recently received the following (names deleted to protect the possibly 
innocent) : 



> Subject: kidsciencenet 
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> Hi, our names are XXXXX and XXXXX. We are in the 5th grade at the 

> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, Massachusetts, USA. We are 

> doing a science project on the Internet. We want to see how many 

> responses we can get back in two weeks. (We are only sending out 2 

> letters) . 
> 

>- Please respond and then send this letter to anyone you communicate 

> with on the Internet. Respond to XXX@tiac.net. 
> 

> 1. Where do you live (state and country)? 

> 2. From whom did you get this letter? 
> 

> Thank you, 

> xxxxxxxxxxxxxxx 

I did NOT delete any original mail headers; the only headers 

were those of some intermediate remailers who had forwarded only the 

contents of the "original" note. 

God help the ISP for tiac.net if this thing spreads as much as it seems 
likely to do. I read this on a msgs board with hundreds of other readers, 
which was only one of the many destination recipients of the intermediate 
link in the chain who remailed this. 

First of all, let's assume this is an honest, innocent post, not a hoax of 
some sort. Let's note to begin with that as indicated by the mail cc 1 s and 
headers, those "2 letters" which were sent out have already been multiplied 
a hundredfold across the internet by people who thought it was a cute idea. 
Let's note further, to our horror, that there is no date on the note 
indicating even when the "two weeks" is up. I'm very much afraid that this 
may go on for decades (if it hasn't already : -0) . 

In fact, by asking around, I've found that at least one 1 posting of this note 
was sent out more than two weeks before the one I saw and copied here. 

The general risks of the deliberate exploitation of wide e-mail distribution 
are obvious and have been discussed many times, but more specifically we can 
see a problem with an intended timed mailing for which the expiration date 
was either lost, modified, or never provided in the first place (as in this 
case) . 

Laurence R. Brothers - quasar@bellcore.com 



y Access to psychiatric records 

<Bob_Frankston @frankston. com > 
Sat, 18 May 1996 14:11 -0400 

There is an article in *The Boston Globe* 18 May 1996 entitled "AG to probe 
access to psychiatric records". As usual, one has to guess what is really 
going on and who is confused about what. 

Apparently a local HMO has been including psychiatric records in its medical 
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history database. The first problem cited was the lack of effective access 
control on that portion of the records. The HMO claims to have "..installed 
software that limits access to the detailed notes 

The other problem is that, apparently, by placing the psychiatric history in 
the medical record it becomes available to insurance agencies once the 
patient has signed a release. 

This seems to be a typical case of the computer forcing an issue that was 
already lurking. Medical records are medical records. It seems that it was 
an implicit (or even explicit) artifact of the paper system that the access 
was controlled and, perhaps, the insurance companies did not get access. And 
this was probably a good policy. But it might not have been legal if the 
insurance companies have access to all records . 

As an aside, I think that under Massachusetts law that patient has access to 
all records which would presumably including the psychiatric transcripts. And 
records mean any scribbles. Am I wrong on this? 

Is this a matter of an issue being forced by the computerization? Does that 
mean we must go back to shoeboxes so that records can be "lost" in order 
protect privacy? 



y Smartcards and medical data standards 

Peter Bray < "pabcse@airmail. net "@server. airmail net> 
Sun, 19 May 1996 10:21:42 -0700 

There is a risk that the rapid and competitive evolution of Smart Card 
technology will result in a proliferation of data format standards that are 
proprietary or national in nature. In particular, information categories 
peripheral to financial transactions could suffer and the potential benefits 
go unrealized in the immediate term. Medical data, particularly physician to 
physician alerts and prescription medications and administration regimes are 
an example. What principles should govern the programme to develop such 
standards?: Keep it simple and extensible and end-use focused. Aim to keep 
it international and spoken language independent. Build in configuration 
management and downward compatibility as medicine and the delivery 
technology evolve. Include communication protocols for further information. 
Do not neglect promotion and training plans for practitioner's. 

Peter Bray pabcse@airmail.net 



y Re: Largest Computer Error in US Banking History? ( RISKS- 
18.14 ) 

"Louis Koziarz" <koziarz@mcs.com> 
Wed, 22 May 1996 22:12:31 -0500 (CDT) 
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(From talking with a knowledgeable friend in the banking/ATM business:) The 
First National Bank of Chicago/Cash Station 'glitch' was apparently the 
result of a programming change intended to support the new out -of -area ATM 
fees being proposed by various banking groups . When the new transaction 
messages were introduced to the network, some systems took the strange new 
codes and transformed them into something they could understand: a posting 
of a huge credit to one ' s account . 

The RISKs here may be more serious than the traditional glitches in 
electronic financial transactions. What should transaction-based systems do 
with unrecognizable or foreign input? 



Part 1 (Computer as Goat) : Post-divorce wage gap statistic turns out to be 
computer error 

This is a rather old story and computer errors are the least of the problems 
here. Readers wishing a fuller well -documented account should see Susan 
Faludi ' s book "Backlash" (1991), 1st edition, pages 19-25. 

According to this account, Weitzman's book "The Divorce Revolution" was 
published in 1985, contains the -73%: 42% figures (for reduction and increase 
in income after the 1st year of divorce) , which are from a small sample size 
(114 men; 114 women) of interviews from a low response rate of the divorcing 
population in Los Angeles County. The financial information is based on the 
memory of those interviewed! As early as 1986 the findings were questioned 
by other divorce researchers whose own data indicated figures of 
-30%:10%-15% (close to the recent -27%: 10% figures for re-analysis of 
Weitzman's data). Requests for Weitzman's data, for re-analysis, remained 
unfulfilled until late 1990 after appeals to the National Science 
Foundation. 

According to the 1996 AP article Weitzman still cannot identify the source 
of the error ("She blames the loss of her original computer data file, a 
weighting error or a mistake in the computer calculations performed by a 
Stanford University research assistant."), and has left the re-analysis of 
her data to other researchers (Richard Peterson in this case) . 

As Faludi * s extensively-documented book points out the conclusions of poorly 
conducted studies have real political and legal consequences. In addition 
they make "social science" more of an oxymoron, and hinder the efforts of 
those researchers who do good, repeatable work in these fields. 

Part 2 : Internet in danger (Nazi hate literature) 

Jim Carroll seems to be misinterpreting the 80% statistic in several ways: 

First, hate literature is likely a small fraction of all literature. 
Therefore 80% of a small number is an even smaller number. 



y Risks of Statistics in RISKS-1 8.1 3 



Frank Fay <f.fay@ieee.org> 
Thu, 23 May 1996 12:06:01 -0700 
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Second, he should find out "what 80% means?". I have seen this figure in 
the past, and I believe the context is regarding published Nazi hate 
literature available by mail in Germany. I am not sure that the figure even 
includes e-mail or the Internet at all. 

Third, the 80% of hate literature originating from Canada statistic does not 
imply "80% of Canadians" at all. Canada as a free-speech nation happens to 
be a convenient safe point from which to send this stuff. Furthermore this 
probably does not imply that the literature was written or published in 
Canada. I would suspect that a good deal of it comes from my country, the 
United States. 

[See a recent Sunday New York Times Magazine cover article for more 
background . ] 

Frank Fay f . f ayOieee . org 
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